I consult, write, and speak on running better technology businesses (tech firms and IT captives) and the things that make it possible: good governance behaviors (activist investing in IT), what matters most (results, not effort), how we organize (restructure from the technologically abstract to the business concrete), how we execute and manage (replacing industrial with professional), how we plan (debunking the myth of control), and how we pay the bills (capital-intensive financing and budgeting in an agile world). I am increasingly interested in robustness over optimization.

I work for ThoughtWorks, the global leader in software delivery and consulting.

Friday, July 09, 2010

One of the more hotly debated subjects in the recent debate on financial services reform has been the reintroduction of Glass-Stegall. Enacted in 1933, the intent was in part to prevent banks from financing speculative investments with money obtained through deposit and lending. Because of the importance of commercial banking to the stability of the economy (and, arguably, society), it was deemed unacceptable to make it easy for a bank to take imprudent risks with money for which has a stewardship responsibility. The law was substantially repealed in the 1990s. Quite a few people have suggested that it be brought back.

Whether it's appropriate or not for banking isn't the purpose of this blog post. But there is some thinking behind the separation of business activity that's worth considering in the IT context.

Retail banking serves largely a utilitarian purpose in an economy. Deposits give banks the capital to make loans to small businesses, write mortgages, and so on. This banking infrastrucure allows a community to pool its resources to grow and flourish as it would likely not be able to do otherwise. It also provides new businesses with capital at startup, and stabelizing cash through business cycles. Still, you don't loan out money to everybody who asks for some. If a bank makes loans to people and companies that aren't creditworthy, they put deposits at risk. Needless to say, commercial banks have (historically, anyway) held high lending standards because they are expected to be highly risk averse. With low risk appetite come low returns.

While low returns aren't all that exciting, there's an argument to be made that low returns are just fine for this kind of banking. The mission of a commercial bank isn't to produce outsized returns; the mission is to be a financial utility, to be stable and consistent. With stability comes confidence in the financial system (a confidence underwritten by federal deposit insurance), and that confidence is a pillar of a strong society.

Investment banks are vastly different. They are, by definition, far more risk prone. While there are conservative investment banks - banks that engage largely in advisory and research and do a minimum of trading - there is an expectation that bulge bracket investment banks will produce an outsized return by taking outsized risks. They trade their client's capital as well as their own using complex strategies specifically to generate high yield.

Instead of producing large returns, of course, investment banking can produce large losses. Because a lot of investment banks make proprietary investments with borrowed capital (that is, they make leveraged investments), a projected windfall can quickly become a bottomless pit.

Hence one of the the reasons for separating investment and commercial banking. The utility functions of commercial banking provide a fat pile of capital that can be leveraged for investment banking activity. Trouble is, there's no upside for the utility side of the bank if it allows its deposits to be exposed to outsized risk. It still pays the same rate to depositors, still collects the same rate from borrowers. For the utility, there's only downside: in a universal bank, a severe loss in investment banking puts commercial deposits at risk. Putting explicitly risk-averse capital at high risk undermines the stability of the financial system.

So, that's banking. What does any of this have to do with IT?

Just like the banking system, IT has two sides to it's house: a utility side, and an investment side. Comingling them hasn't done us much good. If it's done anything, it's confused the business mission of IT. We should separate them into independently operating business units.

A significant portion - maybe 70%+ - of IT spend is on utility services, things that keep a business operating. This includes things like data storage, servers, e-mail, office productivity applications, virus protection, security and so forth. Obviously, business is largely conducted electronically today, so a business needs these things. Restated, there's a lot of business that we simply can't conduct today without it.

These utilities don't provide return in and of themselves. They're so ubiquitous in nature, and so fundamental to how business is done, it's not an option to try to operate without them. They're the information technology equivalent of electricity or tap water. A firm does not derive competitive advantage from the type of electricity it uses. Nor do we measure return on tap water.

And like electricity or tap water, you don't typically provide your own. You plug into a utility service that provides it for you. Every volt of electricity and every gallon of water are the same.

It actually would seem a bit strange for most businesses to be providers of their own utilities. Still, most companies are in the business of providing their own IT utilities.

One reason they do is because of the stationary intertia of IT. We've injected technology into companies through captive IT departments. Nobody questions "why do we obtain these services this way", because technology has "always been provided this way."

Another is that IT services have complex properties to them that other utilities don't. Every volt of electricity is the same, but not every byte of e-mail is the same. Some contain proprietary, confidential or sensitive information. It's not enough for a firm to outsource responsibility for the protection of that data. If data confidentiality is compromised, the firm contracting for the utility is compromised. All the commercial and service level agreements in the world won't undo the damage.

Of course, these complex properties don't make them "high value added" services. They're still utilities. They're just a bigger pain in the neck than things like electricity.

It's very likely that a lot of what we do in captive IT today will be obtained as a utility service in the future. We'll buy it like tap water, metered and regulated. Obviously, this is the business model of SAAS and outsourced services. While they're still not robust enough for every business, we're seeing advances in things like networking and encryption technology that provide a greater level of accessibility and assurance. We're getting close to (if not already well past) the inflection point where it's less attractive to underwrite the risk of providing these things captively than to get them metered.

But not everything done by captive IT is utility. The remaining 30% of today's IT spend is investment into proprietary technology that amplifies the performance of the business to increase yield. This is "high value added" because it provides unique, distinct competitive advantage to the host business. Investing in these things is one way we build our businesses, and make life difficult for the competition.

Which brings us back to Glass-Stegall: just as those two forms of banking are vastly different, so are these two forms of IT.

Dividing IT along "utility" and "value added" lines is a departure from where we are today. We've put everything from disks to development under the heading of "technology" in most companies, because we've had no other way of looking at it. Technology is still in its infancy, is still relatively foreign to most people, and we're still figuring out how to apply it in business. So anything involving technology is considered foreign to a business, and attached to it as an appendix, or a tumor.

Nor is the common division of IT into "infrastructure" and "application development" the dividing line between utility and value-add. Not all infrastructure is utility, and not all app dev is value add. Firms dependent on low latency for competitive edge are not likely to get competitive advantage by hosting their applications in the cloud. Similarly, payment processing is perhaps not something that a retail site wants to invest money into development of, so it contracts to get those services.

This is not a separation of IT by the nature of the technology, but into what technology does for the host business. That portion of the business that provides outsized return - the "investment banking" portion - is what should remain captive. The rest - the "utility banking" - should be part of facilities or operations management. The expectation must also be that this division is dynamic: today's captive data center may be tomorrow's CPU cycles obtained through the cloud if there's no performance or reliability to be gained from providing it captively.

Separating utility from value add will make IT a better performing part of the business. Because they're comingled today, we project characteristics of "investment" into what are really utilities, and in the process we squandor capital. Conversely, and to ITs disadvantage, we project a great deal of "utility" into the things that are really investments, which impairs returns.

As a business function, IT has no definition on its own. It only has definition as part of a business, which means it needs to be run as a business. The risk tolerance, management, capabilities, retention risks, governance and business objectives of these two functions are vastly different. Indeed, the "business technologist" of value added IT needs a vastly different set of skills, capability, and aptitude than she or he generally has today. Clearly, they're vastly different businesses, and should be directed accordingly.

Separating the utility from the value add allows us to reduce cost without jeopardizing accessibility to utility functions, and simultaneously build capability to maximize technology investments. Running them as entirely different business units, managed to a different set of hiring expectations, performance goals, incentive and reward systems, will equip each to better fulfill the objectives that maximize their business impact.